Security check with WebTrends
by Chris Taylor
I have written several articles for the Ottawa PC
News that touched at least a bit on how your
computer is vulnerable to attack from folks on
the Internet. The most common means of defending
your computer is to use a personal firewall
product or intrusion detection software such as
BlackICE Defender, WinRoute, ZoneAlarm, Sybergen
Secure Desktop, or Norton Internet Security.
But I have been asked before how
to determine the level of risk and just how
vulnerable your machine is. I wrote in the
October 2000 issue of Ottawa PC News about using
a port scanner to check your machine for open
ports. But that only tells part of the story. To
really see the complete picture, you need to use
software designed to look for vulnerabilities
beyond just simple open ports.
Generally, these packages are out
of the financial reach of individuals. They typically are
licensed on a per-year basis at rates running into the
tens of thousands of dollars.
WebTrends has released their popular
WebTrends Security Analyzer (WTSA) free for personal use.
The free version allows you to scan up to ten hosts on
your local subnet. You can download a copy from their Web
site (www.webtrends.com) or from PUB II in the
Miscellaneous Utilities file area. If you get it from PUB
II, there are three files: wtsacons.exe (the main program),
wtsaaw32.exe (the agent for Win32 machines, required if
you want to scan one machine from
another), and wtsadocs.pdf (the documentation in Adobe
When you install WTSA and run it the
first time, it offers to update itself from the WebTrends
site. Let it do this, even if you download the program
directly from WebTrends, as there will always be updates.
Be sure to review the documentation. This
is quite an involved program and you are not likely to get
the most from it simply by running it and trying it out.
The documentation explains the program quite well and
will help you make more effective use of WTSA.
I first ran WTSA on a stock Windows 2000
Professional machine running on FAT32 drives. It was in a
workgroup (as opposed to belonging to a domain). I told
WTSA to do a complete scan for all vulnerabilities and
went away for supper while it chugged away.
When I returned, I was a little surprised
to discover that WTSA had found 454 vulnerabilities: 36
high-risk, 318 medium-risk, and 100 low-risk. When I
asked it to generate a complete report in Word format,
the final document was 160 pages long!
I calmed down a bit once I started
reading about the vulnerabilities found. Many of them
were really just flagging possible issues. For example,
WTSA found that Napster had been installed and stated
"Users of Napster can seriously tie up your
company's network bandwidth."
Some vulnerabilities were kind of
unavoidable. WTSA noted that the guest account had access
to various files and folders. Well, gee whiz, I am
running Win2K on FAT32, so it is kind of hard to limit
access. But it might make me rethink staying with FAT32,
WTSA did find lots of vulnerabilities I
was not aware of and could fix, given a bit of time and
effort. It found that the installed version of
HyperTerminal had a buffer overflow problem. It found I
was not protected against all the latest Internet
Explorer exploits. WTSA also found "Distributed COM
(DCOM) enabled". The details tab states "Distributed
Component Object Model (DCOM) is a complex way of
executing code on remote machines. It has been shown to
be insecure. There are many attacks which exploit DCOM,
so a secure system should disallow DCOM altogether."
I am pretty sure I have no need for DCOM, so I should be
able to disable it.
Some of the low-risk vulnerabilities
seemed downright bizarre. For example, by default Windows
2000 allows any program to access the files on a CD-ROM.
Hmmm...I sort of wonder about the circumstances where
this would truly be a problem. And what would happen if
you decide to disable this behaviour?
Amusingly, one of the vulnerabilities was
that it found WebTrends Security Analyzer Application and
the details stated "The presence of unauthorized
security scanners on your network could be an indication
an unauthorized use of your resources for hacking.
Hackers use security scanners to detect vulnerable
systems. A secure corporate environment only allows the
use of security scanners by authorized personnel."
You should be really careful about "fixing"
the issues listed by WTSA. While it does a really good
job of listing tons of things that might be a problem, it
does not go out of its way to tell you when and where
changes are really appropriate. If you were to close off
all vulnerabilities, you would kill an awful lot of
the functionality of your computer.
Still, it is nice to know where potential
problems are. WebTrends Security Analyzer is a terrific
way to find where you may be at risk. In most cases, it
presents a reasonable level of information about the
vulnerabilities along with the means to eliminate the
risk. A very interesting product and the price is
WebTrends Security Analyzer (Proprietary)
Originally published: January 2001